One-time authentication tokens are used to realize two-factor authentication according to which a traditional passcode-based user-authentication method (using a secret you know) is augmented with a one-time passcode that is produced by an authentication token (i.e., a secret produced by something you possess). The two factors collectively provide a stronger authentication method.
One-time authentication tokens typically produce a series of unpredictable one-time passcodes on a regular time basis, i.e., in specified time intervals often called epochs. Passcodes are unpredictable as they get produced in a pseudorandom manner using a secret state, often referred to as a seed, that is stored at the token and also shared with the server. Tokens can either be software or hardware based. Software tokens produce passcodes on-demand, whenever the token's application is launched in the host device, where a series of passcodes is generated for the epochs following the launching of the application. Hardware tokens typically produce passcodes on a permanent basis, one passcode per epoch, for the entire lifetime of their battery. Overall, such tokens produce a time-based series of unpredictable one-time passcodes by employing their seed to generate pseudorandom bits that are converted to passcodes.
The security of any one-time authentication token collapses if an attacker obtains access to the secret seed of the token. Using the seed, the attacker can clone the token and reconstruct the series of passcodes that the token will produce. Indeed, the attacker can use the token's seed to reproduce the pseudorandom numbers used for passcode generation, effectively breaking the unpredictability of the passcodes. In turn, the attacker can increase its chances for impersonating the corresponding user, by either performing a brute-force attack on the user's PIN or by launching a more sophisticated man-in-the-middle attack for harvesting the user's PIN.
Since the security of the token is based on a secret seed, the attacker will attempt to obtain this secret seed. There are three forms of attack that an attacker can employ to obtain access to the secret seed of the token of a target victim user. Under a server compromise attack, the attacker compromises the authentication server and obtains the secret seed of the tokens of one or more users. With a token tampering attack, the attacker compromises the token and obtains the secret seed of the token. Finally, with a seed capturing attack, the attacker obtains the secret seed of the token indirectly by attacking a storage or communication unit used to store or transfer the token's seed, or through side-channel attacks performed against the token or the server.
A need therefore exists for one-time authentication tokens that protect against the above types of attacks that attempt to obtain the secret seed of one or more tokens. A further need exists for configurable one-time authentication tokens.